Preventing Initial Access

Why is it important to prevent initial access?

Gaining initial access is the first step adversaries take when launching an attack. If an organization is able to thwart that initial access, the attacker has no foothold in which to spread throughout the network in search of a more valuable target. The attack will fall short, and the malicious actor will likely move on.

Why is it so hard to prevent initial access?

Traditional detect-and-respond based security only works once a threat is detected, at which that point the network and endpoint itself are already likely compromised. This approach leads to an untenable amount of false positives and does prevent adversaries from gaining initial access into your network. Initial access techniques are successful because traditional Secure Web Gateway (SWG), anti-virus, and sandbox solutions are designed to look for specific patterns, remote file requests, and signatures as a way to detect abnormal behavior. However, Highly Evasive Adaptive Threats (HEAT) employ evasive techniques that render all browser-based security defenses helpless.

Techniques include sandboxes, file inspections, network and HTTP-level inspections, malicious link analysis, offline domain analysis and indicator of compromise (IOC) feeds. Specific techniques include HTML smuggling, sending malicious links through unprotected channels (such as text messaging, social media, professional web networks, and collaboration software), hiding malicious content inside web page source code and using benign websites to deliver sophisticated malware. Essentially hiding in plain sight, HEAT attacks are able to trick traditional SWGs into assuming they are legitimate traffic and bypass all traditional security measures.

What is Menlo Security’s approach to preventing initial access?

While traditional security tools focus on detection, Menlo Security augments existing security strategies through a prevent and detect approach. Menlo focuses on stopping attacks before they make that initial access—effectively rendering the malware impotent. Without access, it can’t spread through the network, gain control or hold systems ransom. We do this primarily through isolation technology.

How does isolation technology bolster security?

Traditional security strategies continue to operate on the fundamental idea that malicious threats can not be stopped and organizations should focus on detecting threats inside the network before they can spread laterally. Detection is important, but organizations shouldn’t sacrifice prevention. It is possible to stop malicious threats from making that initial breach, and an enterprise security strategy should focus on both prevention and detection. Isolation prevents attacks by routing all web traffic through a cloud-based remote browser. It doesn’t matter if content is good or bad, categorized or uncategorized, isolation treats everything as potentially malicious—delivering only safe, sanitized content to the end user. Isolation bolsters detection technologies and tools to enable a holistic approach to security.